Adding service account info to controller docs #2978
|
||
* A service account created, if you are using *Client ID* and *Client secret*. | ||
For more information see, link:https://docs.redhat.com/en/documentation/red_hat_hybrid_cloud_console/1-latest/html/creating_and_managing_service_accounts/proc-ciam-svc-acct-overview-creating-service-acct#proc-ciam-svc-acct-create-creating-service-acct[Creating a service account]. | ||
|
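Review bot: In the added "For more information see, link:..." line the comma is misplaced; it should read "For more information, see link:...[Creating a service account]." The bullet also stops at "A service account created" and says nothing about the access that account needs once it exists, so either add that here or point to where it is documented.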
Somewhere here or in the linked section, we need to mention that in the Console, under User Access, they need to create an analytics admin group with all 3 of the options selected in order to work properly with AAP.
Also, you might want to include a small section or add a troubleshooting section in the "Creating and Managing Service Accounts" to include the procedure for a project sync failure. The process involves doing a remediation, addressing any inventory inconsistencies, and checking analytics logs.
Thanks for putting up this PR. We may want to highlight the set of permissions that a service account will need in order to be used correctly in AAP. These permissions are set up in console.redhat.com by an Org Admin.
I believe the following AAP actions will require these roles: but we need to verify the above. We can either validate it by looking into Insights docs, or by trial and error, adding and removing roles and seeing what passes/fails in AAP.
Thanks @tvo318 and @fosterseth for review. I've added permissions info based on the information in the KB here: Let me know if there is anything else we should add.
|
||
* To use token-based authentication, you must create a Red Hat service account to generate a *Client ID* and *Client secret*. | ||
* Assign this service account to the appropriate *User Access* group with necessary permissions. | ||
* You must be an Organization Administrator when link:https://docs.redhat.com/en/documentation/red_hat_hybrid_cloud_console/1-latest/html/creating_and_managing_service_accounts/proc-ciam-svc-acct-overview-creating-service-acct#proc-ciam-svc-acct-create-creating-service-acct[Creating a service account]. |
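Review bot: The second bullet, "Assign this service account to the appropriate *User Access* group with necessary permissions", leaves the reader to guess which group and which permissions; name them or link to the list. In the third bullet the link text lands mid-sentence as "when Creating a service account"; rephrase it so the link stands on its own, for example "For more information, see link:...[Creating a service account]", and say which of the two steps (creating the account, assigning it to the group) the Organization Administrator requirement applies to.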
To clarify, you don't need to be an Org Admin to create a service account in console.redhat.com. However, only an Org Admin can add a service account to an RBAC group in console.redhat.com.
So if you aren't an org admin, you would create your service account, then ask your Org admin to add your account to the appropriate group.
Thanks @fosterseth, regarding "...Insights project syncing with a service account credential, the remediations should be created with that same service account via the API"
Do you think we need to include this in the prerequisites or within the procedure itself maybe? And do we need to include the curl commands to create a remediation with a service account? Thanks.
.Prerequisites | ||
|
||
* A service account created. | ||
For more information see, link:https://docs.redhat.com/en/documentation/red_hat_hybrid_cloud_console/1-latest/html/creating_and_managing_service_accounts/proc-ciam-svc-acct-overview-creating-service-acct#proc-ciam-svc-acct-create-creating-service-acct[Creating a service account]. |
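Review bot: The prerequisite under ".Prerequisites" is the unconditional "A service account created.", while the matching bullet earlier in this PR is qualified with "if you are using *Client ID* and *Client secret*"; pick one wording and use it in both places. Rewriting the fragment as a full sentence would also help it read as a requirement rather than a status.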
We may want to mention that the service account used for Analytics needs to have the Analytics Administrator viewer role in console.redhat.com.
Document controller changes needed for service accounts
https://issues.redhat.com/browse/AAP-36066
Affects `titles/controller-user-guide`